1. Field of the Invention
This invention relates to the field of information network security, and more particularly relates to a method and data structure for user group identifier formation.
2. Description of the Related Art
Flexible network access technologies such as wireless, Dynamic Host Configuration Protocol (DHCP), virtual private network (VPN) gateways and the like allow users access to a given protected network from a variety of access or entry points. This is true of all manner of networks, including enterprise networks, service provider networks and the like. At the same time, the security afforded while providing such access is of increasing concern. Technologies based on Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS), the DIAMETER protocol and other protocols allow a user to be authenticated upon entry to the network.
As is known, communications paths across such networks are conceptually separate (e.g., can be viewed as separate virtual paths), although they may traverse some or all of the same network devices (i.e., physical segments), and so are controlled separately using, for example, access control lists (ACLs). Conventionally, constraints upon access enjoyed by network users are enforced by ACLs, which are used to process packets and so control the network traffic of such users. For scalability and manageability, conventional ACLs require the mapping of a user host address (as the source of the given packet(s); for example, an internet protocol (IP) address) to be relatively static, or the security policy to be sufficiently lax to allow all addresses possible for the user.
Providing effective network security with traditional ACLs is problematic for a number of reasons. First, it is becoming increasingly difficult to generate and maintain the number of ACLs needed to protect a growing network. ACLs are conventionally applied to a given interface and contain IP addresses which tie the security policy directly to the network topology. As a result, a change in the network such as repartitioning of sub-nets causes the security policy to be revisited. Moreover, it would appear that ACLs in various parts of the network would need to be updated each time a user authenticated to the network, in order to add rules associated with the source IP address assigned to this user's host, which would be specific to that user. This would cause a huge increase in the number of unique ACLs and dramatically increase the rate at which such rules would have to be updated.
Furthermore, there also exists the problem of the generating an ACL large enough to define access control for an increasing number of individual IP addresses in a network. The number of entries in an ACL is often the number of source addresses multiplied by the number of destination addresses, multiplied by the number of permissions. As a result, the addition of a single individual IP address can have a significant impact on the size of a substantial number of ACLs. Therefore, the addition of a single IP address can result in a dramatic increase in the cost of generating and maintaining the ACLs.
When a customer changes the network topology, the ACLs must be reexamined. Since such ACLs can quite easily reach several hundred or even several thousand of lines in length, such a reexamination can be non-trivial, to say the least. Due to the complexity of such an ACL, the confidence in the changes that are made is not very high, typically, and the ACLs often require extensive testing by the user before being placed in a production environment. Moreover, because platforms using content-addressable memories (CAMs) to implement ACLs require recompiling of some or all of the ACLs when any change is made, the increases in processing cost can be quite severe, approaching a quadratic in the number of users. These increases in complexity increase the chance of a network outage, a security hole, or both. Therefore, placing such ACLs throughout the enterprise network therefore impacts the manageability of today's networks. Given the foregoing, particularly in light of the increasingly flexible access that is required now and will be required in the future, relying on existing ACL management, generation and maintenance is difficult.
What is required, then, is a mechanism that allows for the efficient generation and maintenance of network access control information. Preferably, such an approach should employ existing ACL technology, while making the generation of ACLs more efficient. Also preferably, such an approach should simplify ACL maintenance without incurring a disproportionate administrative burden or consuming inordinately large amounts of network resources.